Spring Security Hello World Example

Posted on August 16, 2011 ,     Last modified : November 7, 2012

By mkyong

Spring Security allows developer to integrate security features with J2EE web application easily, it highjacks incoming HTTP request via servlet filters, and implements “user defined” security checking.

In this tutorial, we show you how to integrate Spring Security 3.0 with Spring MVC web application to secure URL access. After implemented Spring security, to view the content of the page, users need to key in correct “username” and “password”.

Technologies used :

1. Spring 3.0.5.RELEASE
2. Spring Security 3.0.5.RELEASE
3. Eclipse 3.6
4. JDK 1.6
5. Maven 3

Note
Spring Security 3.0 requires Java 5.0 Runtime Environment or higher

1. Directory Structure

Review the final directory structure of this tutorial.

2. Spring Security Dependencies

To use Spring security 3.0, you need “spring-security-core.jar“, “spring-security-web.jar” and “spring-security-config.jar“. Spring libraries are available in Maven central repository.

File : pom.xml

 
  3.0.5.RELEASE

    org.springframework spring-core ${spring.version}   org.springframework spring-web ${spring.version}   org.springframework spring-webmvc ${spring.version}   org.springframework.security spring-security-core ${spring.version}   org.springframework.security spring-security-web ${spring.version}   org.springframework.security spring-security-config ${spring.version}    

3. Spring MVC Web Application

A simple Spring MVC to return a “hello.jsp” page, via URI “/welcome“. Later use Spring security to secure this URL access.

File : HelloController.java

package com.mkyong.common.controller;
 
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
 
@Controller
@RequestMapping("/welcome")
public class HelloController {
 
 @RequestMapping(method = RequestMethod.GET)
 public String printWelcome(ModelMap model) {
 
  model.addAttribute("message", "Spring Security Hello World");
  return "hello";
 
 }
 
}

File : hello.jsp

<html>
<body>
 <h1>Message : ${message}</h1> 
</body>
</html>

File : mvc-dispatcher-servlet.xml

 xmlns="http://www.springframework.org/schema/beans"
 xmlns:context="http://www.springframework.org/schema/context"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="
        http://www.springframework.org/schema/beans     
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context 
        http://www.springframework.org/schema/context/spring-context-3.0.xsd">
 
  base-package="com.mkyong.common.controller" />
 
 
   class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    name="prefix">
  /WEB-INF/pages/

name="suffix"> .jsp  

4. Spring Security : User Authentication

Create a separate Spring configuration file to define Spring security related stuffs. It tells, only user with correct username “mkyong” and password “123456″ is allow to access URI “/welcome“.

Below Spring configuration should be self-explanatory.

File : spring-security.xml

 xmlns="http://www.springframework.org/schema/security"
 xmlns:beans="http://www.springframework.org/schema/beans" 
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://www.springframework.org/schema/beans
 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
 http://www.springframework.org/schema/security
 http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
 
  auto-config="true">
   pattern="/welcome*" access="ROLE_USER" />
 

  name="mkyong" password="123456" authorities="ROLE_USER" />  

5. Integrate Spring Security

To integrate Spring security with web application, just declare “DelegatingFilterProxy” as servlet filter to intercept incoming request.

File : web.xml

 id="WebApp_ID" version="2.4"
 xmlns="http://java.sun.com/xml/ns/j2ee" 
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee 
 http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
 
 Spring MVC Application

  mvc-dispatcher org.springframework.web.servlet.DispatcherServlet 1 mvc-dispatcher /   org.springframework.web.context.ContextLoaderListener   contextConfigLocation /WEB-INF/mvc-dispatcher-servlet.xml, /WEB-INF/spring-security.xml   springSecurityFilterChain org.springframework.web.filter.DelegatingFilterProxy   springSecurityFilterChain /*  

6. Demo

That’s all. But wait, where’s the login form? No worry, if you do not define login form, Spring will create a simple login form automatically.

Custom Login Form
Read this “Spring Security form login example” to understand how to create a custom login form in Spring Security.

1. Access “http://localhost:8080/SpringMVC/welcome“, Spring Security will intercept the request and redirect to “http://localhost:8080/SpringMVC/spring_security_login” automatically. And display the Spring predefined authentication form.

URL : http://localhost:8080/SpringMVC/spring_security_login

2. Error messages will be displayed if wrong username and password are provided.

URL : http://localhost:8080/SpringMVC/spring_security_login?login_error

3. If correct username and password are provided, Spring security will redirect to the original requested URL and display the content of the page.

URL : http://localhost:8080/SpringMVC/welcome

Download Source Code

Download it – Spring-Security-3-HelloWorld-Example.zip (8 KB)

References

1. Spring Security Features
2. Spring 3 MVC hello world example
3. Spring Security form login example (authentication)

Tags : hello world spring security